// // Google Protobuf Definition for Carbon Black Sensor Events // // Copyright 2015-2017 Carbon Black, Inc. // syntax="proto2"; message CbHeaderMsg { required int32 version = 1; // 4 optional int32 bootid = 2; // deprecated optional int32 eventid = 3; // deprecated optional int64 timestamp = 4; // FILETIME optional int64 process_guid = 5; // deprecated; only provided for backwards compatibility optional int64 filepath_string_guid = 6; // lookup key for CbStringMsg optional uint32 magic = 7; // deprecated optional int64 process_filepath_string_guid = 8; // lookup key for CbStringMsg optional int64 process_create_time = 9; // FILETIME format optional int32 process_pid = 10; // Windows Process Identifier (PID) optional bytes process_md5 = 11; optional string process_path = 12; optional int32 fork_pid = 13; optional bytes process_sha256 = 14; } message CbStringMsg { enum CbStringType { typeFilepath = 1; typeRegpath = 2; // deprecated typeNetpath = 3; // deprecated } optional int64 guid = 1; optional bytes utf8string = 2; optional CbStringType string_type = 3 [default = typeFilepath]; } message CbProcessMsg { optional int32 pid = 1; // deprecated; see process_pid in header optional bool created = 2; // false means the process is exiting // on created filepath_string_guid will be // the path to the process base module on disk optional int32 parent_pid = 3; optional int64 parent_create_time = 4; optional int64 parent_guid = 5; // deprecated; only for backwards compatibility optional bytes md5hash = 6; // only set on created = true optional bool have_seen_before = 7; // if true, we've sent this before optional int64 deprecated = 8; // formerly commandlinestringguid; command line now inline (see next line) optional bytes commandline = 9; optional bytes parent_md5 = 10; // parent process md5 optional string parent_path = 11; // parent process qualified filename optional bool creationobserved = 12 [default=false]; // was the creation of this process observed, or // already running at sensor start time optional bool expect_followon_w_md5 = 13 [default=false]; // sensor is attempting to calculate the md5 of the process // and will send a new process message with md5 when calc complete optional string uid = 14; // uid or SID of process security context optional string username = 15; // username of process security context repeated CbEmetMitigationAction actions = 16; optional bool actionsAreFromGPO = 17 [default=false]; // tells us where "actions" came from optional bool bFilteringKnownDlls = 18 [default=false]; optional bytes sha256hash = 19; optional bytes parent_sha256 = 20; } message CbSuppressedInfo { enum CbSuppressedProcessState { suppressedEventlessModloads = 1; // proc with no events except modloads suppressedEventlessWithXproc = 2; // proc with only modloads and xproc } optional bool bIsSuppressed = 1 [default=false]; optional CbSuppressedProcessState state = 2; } // // ChildProcessMsg is a subset of CbProcessMsg // It is used in support of allowing viewing of child processes in the event // stream (for example, in the UI's process analysis page) and in allowing // child processes to be tagged as events. // message CbChildProcessMsg { enum CbChildProcType { childProcExec = 0; // default (only type supported on WIN) childProcFork = 1; childProcOtherExec = 2; // when a posix process calls exec() then exec() } optional bool created = 1; // creation:true::term:false optional int64 parent_guid = 2; // deprecated; only provided for backwards compatibility optional bytes md5hash = 3; // md5 hash of child process optional int64 child_guid = 4; // guid of child process (for link) optional string path = 5; // path of child process (c:\a.exe) optional int64 pid = 6; // Process Identifier (PID) for human consumption optional int64 create_time = 7; // higher resolution timestamp of process creation (FILETIME format) optional bool tamper = 8 [default=false]; optional CbSuppressedInfo suppressed = 9; // if not present - not suppressed optional bytes commandline = 10; // used for suppressed children optional string username = 11; // used for suppressed children optional CbChildProcType childProcType = 12 [default=childProcExec]; optional bool tamper_sent = 13 [default=false]; // tamper event was already sent from kernel optional bytes sha256hash = 14; // sha256 hash of child process } message CbModuleLoadMsg { optional int64 guid = 1; // deprecated optional int64 handlepath_string_guid = 2; // find the module (binary) path via the CbStringMsg optional bytes md5hash = 3; // 16 byte md5 sum optional int32 scanid = 4; // deprecated optional bool is_process_base_module = 5; // deprecated optional int64 image_base = 6; // deprecated optional uint32 image_size = 7; // deprecated optional bytes sha256hash = 8; } message CbFileModMsg { enum CbFileModAction { actionFileModCreate = 1; // file was created actionFileModWrite = 2; // file was modified (any write, at any offset) actionFileModDelete = 4; // file was deleted actionFileModLastWrite = 8; // newly-written file 'completed' CbFileModMsg will include filetype and md5 actionFileModOpen = 16; // Tamper opens of the carbonblackk device } enum CbFileType { filetypeUnknown = 0x0000; filetypePe = 0x0001; // windows filetypeElf = 0x0002; // linux filetypeUniversalBin = 0x0003; // osx filetypeEicar = 0x0008; filetypeOfficeLegacy = 0x0010; filetypeOfficeOpenXml = 0x0011; filetypePdf = 0x0030; filetypeArchivePkzip = 0x0040; filetypeArchiveLzh = 0x0041; filetypeArchiveLzw = 0x0042; filetypeArchiveRar = 0x0043; filetypeArchiveTar = 0x0044; filetypeArchive7zip = 0x0045; } optional int64 guid = 1; // deprecated optional CbFileModAction action = 2; // CbFileModAction enum optional bool have_seen_before = 3; // deprecated optional bytes md5hash = 4; // present for actionFileModLastWrite only optional CbFileType type = 5; // CbFileType enum; present for actionFileModLastWrite only optional bool tamper = 6 [default=false]; optional bool tamper_sent = 7 [default=false]; // tamper event was already sent from kernel optional bytes sha256hash = 8; } message CbRegModMsg { enum CbRegModAction { actionRegModCreateKey = 1; actionRegModWriteValue = 2; actionRegModDeleteKey = 4; actionRegModDeleteValue = 8; } optional int64 guid = 1; // deprecated optional CbRegModAction action = 2; // CbRegModAction enum optional bool have_seen_before = 3; // deprecated optional bytes utf8_regpath = 4; // value name appended to key for DeleteValue and WriteValue action types optional bool tamper = 5 [default=false]; optional bool tamper_sent = 6 [default=false]; // tamper event was already sent from kernel } // // describes an inbound or outbound network connection // now deprecated in favor of CbNetConnMsgv2 // message CbNetConnMsg { enum ProtocolType { ProtoTcp = 6; // RFC 793 ProtoUdp = 17; // RFC 768 } optional int64 guid = 1; // deprecated optional uint32 ipv4Address = 2; // may not be present when web proxy used optional uint64 ipv6LoPart = 3; // not supported optional uint64 ipv6HiPart = 4; // not supported optional uint32 port = 5; optional ProtocolType protocol = 6; optional bytes utf8_netpath = 7; optional bool outbound = 8 [default=true]; optional bool proxyConnection = 9 [default=false]; optional uint32 proxyIpv4Address = 10; // ip of the web proxy itself optional uint32 proxyPort = 11; // port (tcp) of the web proxy itself optional string proxyNetPath = 12; // dns name of the web proxy itself optional uint32 remoteIpAddress = 13; // foreign address optional uint32 remotePort = 14; // foreign port optional uint32 localIpAddress = 15; // local address optional uint32 localPort = 16; // local port } message CbIpAddr { optional bool bIsIpv6 = 1 [default=false]; optional uint32 ipv4Address = 2; optional uint64 ipv6Low = 3; optional uint64 ipv6High = 4; optional string ipv6Scope = 5; } // // this supersedes CbNetConnMsg // message CbNetConnMsgv2 { enum ProtocolType { ProtoTcp = 6; // RFC 793 ProtoUdp = 17; // RFC 768 } optional ProtocolType protocol = 1; optional bytes utf8_netpath = 2; optional bool outbound = 3 [default=true]; optional bool proxyConnection = 4 [default=false]; optional CbIpAddr proxyIpAddress = 5; // ip of the web proxy itself optional uint32 proxyPort = 6; // port (tcp) of the web proxy itself optional string proxyNetPath = 7; // dns name of the web proxy itself optional CbIpAddr remoteIpAddress = 8; // foreign address optional uint32 remotePort = 9; // foreign port optional CbIpAddr localIpAddress = 10; // local address optional uint32 localPort = 11; // local port } // // this supersedes CbNetConnBlockedMsg // message CbNetConnBlockedMsgv2 { enum NetconnBlockType { NetworkIsolation = 1; // Connection was blocked due to network isolation } enum ProtocolType { ProtoTcp = 6; // RFC 793 ProtoUdp = 17; // RFC 768 } optional NetconnBlockType blockedType = 1; // Info about the connection that was blocked: optional uint32 port = 2; optional ProtocolType protocol = 3; optional bytes utf8_netpath = 4; optional bool outbound = 5 [default=true]; optional bool proxyConnection = 6 [default=false]; optional CbIpAddr proxyIpAddress = 7; // ip of the web proxy itself optional uint32 proxyPort = 8; // port (tcp) of the web proxy itself optional string proxyNetPath = 9; // dns name of the web proxy itself optional CbIpAddr remoteIpAddress = 10; // foreign address optional uint32 remotePort = 11; // foreign port optional CbIpAddr localIpAddress = 12; // local address optional uint32 localPort = 13; // local port } // // deprecated // message CbLinStatsMsg { optional int32 lin_total = 1; // deprecated optional int32 lin_successful = 2; // deprecated optional int32 lin_no_scanidi = 3; // deprecated optional int32 lin_total_pended = 4; // deprecated optional int32 lin_current_scanid_pended_size = 5; // deprecated optional int32 lin_current_handlepath_pended_size = 6; // deprecated optional int32 lin_current_filepath_pended_size = 7; // deprecated } message CbCrossProcessOpenMsg { enum OpenType { OpenProcessHandle = 1; OpenThreadHandle = 2; } optional OpenType type = 1; optional uint32 targetPid = 2; // pid of the process being acted upon optional uint64 targetProcCreateTime = 3; optional uint32 requestedAccess = 4; // Desired Access for OpenThread/Process optional string targetProcPath = 5; // the path of the target process optional bytes targetProcMd5 = 6; // the md5 sum of the target process optional bytes targetProcSha256 = 7; // the sha256 sum of the target process } message CbCreateRemoteThreadMsg { optional uint32 remoteProcPid = 1; // pid of process the thread was created in optional uint64 remoteProcCreateTime = 2; // create time of the target process optional string remoteProcPath = 3; // the path of the target process optional bytes remoteProcMd5 = 4; // the md5 sum of the target process optional bytes remoteProcSha256 = 5; // the sha256 sum of the target process } // // CbCrossProcessEvent // // Activities from a process that cross into other process // // These are reported in terms of the offending (from) process in the header // message CbCrossProcessMsg { optional CbCrossProcessOpenMsg open = 1; // openprocess or openthread optional CbCreateRemoteThreadMsg remotethread = 2; // createRemoteThread optional bool tamper = 3; // potential tamper event optional bool isTarget = 4; // is process actor or target of crossproc event optional bool tamper_sent = 5 [default=false]; // tamper event was already sent from kernel } message CbProcessBlockedMsg { enum BlockType { MD5Hash = 1; //Process was blocked due to its md5 hash } enum BlockEvent { ProcessCreate = 1; // We blocked a process from fully starting RunningProcess = 2; // We killed an already running process } enum BlockResult { ProcessTerminated = 0; // Process was blocked/terminated successfully NotTerminatedCBProcess = 1; // Someone tried to kill cb.exe NotTerminatedSystemProcess = 2; // Someone tried to kill pid 0/pid 4 NotTerminatedCriticalSystemProcess = 3; // Someone tried to kill a process registered as a critical system process NotTerminatedWhitelistedPath = 4; // Someone tried to kill a process that matched one of our never kill rules NotTerminatedOpenProcessError = 5; // Failed to get a handle to the process to kill it. When set, openProcessError will be set with the error code NotTerminatedTerminateError = 6; // An error occurred when we tried to kill the process. When set, terminteError will be set with the error code } optional BlockType blockedType = 1; optional BlockEvent blockedEvent = 2; optional bytes blockedmd5Hash = 3; optional string blockedPath = 4; // For blocked/terminated process, this is the process that was blocked optional BlockResult blockResult = 5; // Used to determine if the process was actually terminated or if an error occurred optional uint32 blockError = 6; // Error code Only set if blockResult == NotTerminatedOpenProcessError or NotTerminatedTerminateError optional int32 blockedPid = 7; // The pid of the process that was terminated (or attempted to be terminated). Not set if process is blocked before it started optional uint64 blockedProcCreateTime = 8; // The creation time of the process that was terminated (or attempted to be terminated). Not set if process is blocked before it started optional string blockedCmdline = 9; // The cmdline of the process that was blocked or terminated optional string blockedUid = 10; // User id of the process that was blocked. Only set if blockedEvent == ProcessCreate and blockResult == ProcessTerminated optional string blockedUsername = 11; // User name of the process that was blocked. Only set if blockedEvent == ProcessCreate and blockResult == ProcessTerminated } // // deprecated in favor of CbNetConnBlockedMsgv2 // message CbNetConnBlockedMsg { enum NetconnBlockType { NetworkIsolation = 1; // Connection was blocked due to network isolation } enum ProtocolType { ProtoTcp = 6; // RFC 793 ProtoUdp = 17; // RFC 768 } optional NetconnBlockType blockedType = 1; // Info about the connection that was blocked: optional uint32 ipv4Address = 2; // may not be present when web proxy used optional uint64 ipv6LoPart = 3; // not supported optional uint64 ipv6HiPart = 4; // not supported optional uint32 port = 5; optional ProtocolType protocol = 6; optional bytes utf8_netpath = 7; optional bool outbound = 8 [default=true]; optional bool proxyConnection = 9 [default=false]; optional uint32 proxyIpv4Address = 10; // ip of the web proxy itself optional uint32 proxyPort = 11; // port (tcp) of the web proxy itself optional string proxyNetPath = 12; // dns name of the web proxy itself optional uint32 remoteIpAddress = 13; // foreign address optional uint32 remotePort = 14; // foreign port optional uint32 localIpAddress = 15; // local address optional uint32 localPort = 16; // local port } // // deprecated // message CbStatisticsMsg { optional CbLinStatsMsg lin_stats = 1; // deprecated } // // CbModuleInfoMsg // // describes certain sensor-calculated metadata associated with an individual PE module // message CbModuleInfoMsg { optional bytes md5 = 1; optional uint32 CopiedModuleLength = 2; optional uint64 OriginalModuleLength = 3; optional string utf8_FileDescription = 4; optional string utf8_CompanyName = 5; optional string utf8_ProductName = 6; optional string utf8_FileVersion = 7; optional string utf8_Comments = 8; optional string utf8_LegalCopyright = 9; optional string utf8_LegalTrademark = 10; optional string utf8_InternalName = 11; optional string utf8_OriginalFileName = 12; optional string utf8_ProductDescription = 13; optional string utf8_ProductVersion = 14; optional string utf8_PrivateBuild = 15; optional string utf8_SpecialBuild = 16; optional string utf8_DigSig_Publisher = 17; optional string utf8_DigSig_ProgramName = 18; optional string utf8_DigSig_IssuerName = 19; optional string utf8_DigSig_SubjectName = 20; optional string utf8_DigSig_Result = 21; // human-readable version of DigSig_ResultCode optional string utf8_DigSig_ResultCode = 22; // preferable to utf8_DigSig_Result; encoded as hex string with 0x prefix optional string utf8_DigSig_SignTime = 23; optional bytes Icon = 24; // BASE64(PNG) optional bytes ImageFileHeader = 25; // IMAGE_FILE_HEADER from PE header; expected to be 20 bytes optional string utf8_OnDiskFilename = 26; // filename of the file as it was found on the filesystem (not an internal name) optional bytes sha256 = 27; } // // file-write message // // describe the write of a single file // // WARNING: This is an unsupported message and subject to change // message CbVtWriteMsg { optional bytes WritingProcessExeMd5 = 1; // unsupported optional bytes FileWrittenMd5 = 2; // unsupported optional bool FileWrittenIsPeModuleHint = 3; // unsupported optional string WritingProcessFilename = 4; // unsupported optional string FileWrittenFilename = 5; // unsupported } // // deprecated // message CbVtLoadMsg { optional bytes LoaderProcessExeMd5 = 1; // deprecated optional bytes LoadedModuleMd5 = 2; // deprecated } // // describes the sensor and host on which the event was collected // message CbEndpointEnvironmentMsg { optional int32 SensorId = 1; // sensor id of the endpoint from which the message originated optional string SensorHostName = 2; // hostname of the endpoint from which the message originated optional int64 HostId = 3; // unsupported } // // describes the server on which the event was received and processed // message CbServerEnvironmentMsg { optional int32 NodeId = 1; // node id of the service which received the message; for clustered server setups } // // describes the environment on which the event was collected, // transmitted, and received. // // populated by the server at import time, not by the sensor // at collection or transmission time // message CbEnvironmentMsg { optional CbEndpointEnvironmentMsg endpoint = 1; optional CbServerEnvironmentMsg server = 2; } // // the follow are for tamper "alerts" that don't // fit within events that are associated with a specific process // message CbTamperAlertMsg { enum CbTamperAlertType { AlertCoreDriverUnloaded = 1; // carbonblackk unloaded (actually happens before the unload) AlertNetworkDriverUnloaded = 2; // cbstream or cbtdiflt stopped AlertCbServiceStopped = 3; // carbonblack service stopped AlertCbProcessTerminated = 4; // cb.exe has ended/was terminated AlertCbCodeInjection = 5; // non-image based code injected into cb.exe } optional CbTamperAlertType type = 1; optional bool tamper_sent = 2 [default=false]; // tamper alert was already sent from kernel } // // this is the event messages corresponding to EMET // events from the host // message CbEmetMitigationAction { enum CbEmetMitigationTypes { actionDep = 1; actionSehop = 2; actionAsr = 3; actionAslr = 4; actionNullPage = 5; actionHeapSpray = 6; actionMandatoryAslr = 7; actionEaf = 8; actionEafPlus = 9; actionBottomUpAslr = 10; actionLoadLibrary = 11; actionMemoryProtection = 12; actionSimulateExecFlow = 13; actionStackPivot = 14; actionCallerChecks = 15; actionBannedFunctions = 16; actionDeepHooks = 17; actionAntiDetours = 18; } optional CbEmetMitigationTypes mitigationType = 1; } message CbEmetMitigationMsg { optional uint64 emetId = 1; optional uint64 emetTimstamp = 2; optional CbEmetMitigationAction action = 3; optional string actionText = 4; optional bool blocked = 5 [default=false]; } message CbProcessMetadataMsg { optional int64 process_guid = 1; optional int64 process_create_time = 2; optional int32 process_pid = 3; optional bytes process_md5 = 4; optional string process_path = 5; optional string uid = 6; optional string username = 7; optional bytes commandline = 8; // parent info optional int32 parent_pid = 9; optional int64 parent_create_time = 10; optional bytes parent_md5 = 11; optional string parent_path = 12; // Count fields contain cumulative event counts for this process optional int32 modload_count = 13; optional int32 filemod_count = 14; optional int32 netconn_count = 15; optional int32 regmod_count = 16; optional int32 childproc_count = 17; optional int32 crossproc_count = 18; optional int32 emet_count = 19; optional int32 processblock_count = 20; // segment type tracking optional int64 sensor_start_time = 21; optional int64 sensor_segment = 22; // a per sensor-start segment id. sensor_start_time.sensor_segment is unique optional bool creationobserved = 23 [default=false]; // was the creation of this process observed, or repeated CbEmetMitigationAction actions = 24; optional bytes process_sha256 = 25; optional bytes parent_sha256 = 26; } message CbEventMsg { required CbHeaderMsg header = 1; repeated CbStringMsg strings = 2; optional CbProcessMsg process = 3; optional CbModuleLoadMsg modload = 4; optional CbFileModMsg filemod = 5; optional CbNetConnMsg network = 6; optional CbRegModMsg regmod = 7; optional CbStatisticsMsg stats = 8; // deprecated optional CbModuleInfoMsg module = 9; optional CbVtWriteMsg vtwrite = 10; // unsupported optional CbVtLoadMsg vtload = 11; // deprecated optional CbChildProcessMsg childproc = 12; optional CbEnvironmentMsg env = 13; // populated by server at event-export time optional CbCrossProcessMsg crossproc = 14; optional CbTamperAlertMsg tamperAlert = 15; optional CbProcessBlockedMsg blocked = 16; optional CbEmetMitigationMsg emet = 17; optional CbNetConnBlockedMsg netconnBlocked = 18; optional CbProcessMetadataMsg processMeta = 19; optional CbNetConnMsgv2 networkv2 = 20; // added post-5.2 for ipv6 support optional CbNetConnBlockedMsgv2 netconnBlockedv2 = 21; // added post-5.2 for ipv6 support }